This disclosure relates to Network Address Translator (NAT) devices. More particularly, this disclosure relates to a method and apparatus that is able to identify the number of host computers behind a NAT device.
While this disclosure is particularly directed towards analyzing traffic associated with NAT-hosted computers, in order to accurately determine the number of computers sharing a NAT device, and thus will be described with particular reference thereto, it will be appreciated that the disclosure may have usefulness in other fields and applications. For example, this disclosure may be useful in a variety of services that need to reliably identify subscribers to a carrier's network using live traffic for real-time detection.
By way of background, a NAT device is commonly used in Internet Protocol (IP) translation and mapping technology. These devices are often used to allow users to share internet access with a plurality of devices via one address. Wireless data subscribers may have a service plan that allows them unlimited data access. However, the service plan may restrict the users from sharing the internet access with others. Because a NAT device uses a small number of IP addresses (usually one), but can act as a point of access for many different hosts, there is a particular emphasis for carrier network providers to identify how many host computers are hiding behind a NAT device. Once the number of host computers is identified, the carrier network may find it useful to restrict multiple users from sharing one IP address.
There are a variety of reasons why a carrier network may want to know how many computers are sharing a particular NAT device. One reason is because of limited bandwidth. If many host computers are using only one NAT device, then the service may be slow due to bandwidth restraints. Another reason is because shared access may allow for attacks, where the culprit may be hard to pinpoint. Because a NAT device hides the host computer's IP address, an unauthorized user may launch attacks to websites without being detected.
Reliably detecting NAT devices can be difficult because they are virtually indistinguishable from a host computer. However, there are a few methods known in the art that attempt to address this problem. One technique is based on the observation that, on many operating systems, the IP header's identification field is a simple counter. By suitable processing of trace data, packets emanating from the individual machines may be isolated, thereby allowing the number of machines to be counted. This technique is described by Steven M. Bellovin in his article entitled “A Technique for Counting NATted Hosts”, Proceedings of the 2nd ACM SIGCOMM Workshop on Internet Measurements, Session 9, pages 267-272, 2002, Marseille, France. This reference is hereby fully incorporated by reference.
This method, however, does have drawbacks. For example, it tends to work only when the network addresses are static. When IP addresses are assigned dynamically to subscribers each time they connect to the network, the previously mentioned method tends to fail by generating many false detections of multiple host computers. Moreover, the existing solutions work only offline, by analyzing captured network traces; therefore, real-time detection is not realized.
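The IP-ID counter heuristic described above, and the false detection that dynamic address assignment causes, can both be seen in a small simulation. The following is an added example written for this page; it is not code from the disclosure or from Bellovin's paper. It chains packets whose identification values advance by a small step into one sequence per host, then counts chains per public address. The gap and idle thresholds, the 203.0.113.x addresses and the packet samples are all constructed for illustration. The second summary function (`count_concurrent_hosts`) is an assumed refinement that counts only chains whose lifetimes overlap in time, which is one way to tell two hosts sharing an address from one address handed to two subscribers in succession; it goes beyond what the text states.

```python
"""Estimate hosts behind a NAT address from the IP identification field.

Added example (hypothetical code, not the disclosure's method). Packet
samples and thresholds are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Packet:
    src: str      # public source address as seen by the carrier
    ip_id: int    # 16-bit IP identification field
    ts: float     # capture timestamp in seconds


@dataclass
class Chain:
    first_ts: float
    last_ts: float
    last_id: int
    count: int = 1


MAX_GAP = 32        # assumed: largest forward ID jump still credited to one host
MAX_IDLE = 60.0     # assumed: seconds after which a chain no longer accepts packets


def _distance(prev: int, cur: int) -> int:
    """Forward distance from prev to cur on the 16-bit wraparound ring."""
    return (cur - prev) & 0xFFFF


def build_chains(packets: List[Packet], max_gap: int = MAX_GAP,
                 max_idle: float = MAX_IDLE) -> Dict[str, List[Chain]]:
    """Attach each packet to the live chain whose last ID it most closely follows;
    a packet that fits no chain opens a new one (a new presumed host)."""
    chains: Dict[str, List[Chain]] = {}
    for p in sorted(packets, key=lambda pk: pk.ts):
        cands = chains.setdefault(p.src, [])
        best, best_d = None, None
        for c in cands:
            if p.ts - c.last_ts > max_idle:
                continue  # chain went quiet; do not extend it
            d = _distance(c.last_id, p.ip_id)
            if 0 < d <= max_gap and (best_d is None or d < best_d):
                best, best_d = c, d
        if best is None:
            cands.append(Chain(p.ts, p.ts, p.ip_id))
        else:
            best.last_ts, best.last_id, best.count = p.ts, p.ip_id, best.count + 1
    return chains


def count_hosts(packets: List[Packet]) -> Dict[str, int]:
    """Naive estimate: one host per chain observed on an address."""
    return {src: len(cs) for src, cs in build_chains(packets).items()}


def _max_overlap(cs: List[Chain]) -> int:
    """Largest number of chains alive at the same instant (sweep line)."""
    events = [(c.first_ts, 1) for c in cs] + [(c.last_ts, -1) for c in cs]
    best = cur = 0
    for _, delta in sorted(events, key=lambda e: (e[0], -e[1])):  # starts before ends at ties
        cur += delta
        best = max(best, cur)
    return best


def count_concurrent_hosts(packets: List[Packet]) -> Dict[str, int]:
    """Assumed refinement: count only chains that overlap in time, so an address
    reassigned from one subscriber to the next is not read as two hosts."""
    return {src: _max_overlap(cs) for src, cs in build_chains(packets).items()}


# Constructed samples. 203.0.113.10: a NAT with two hosts whose counters
# (1000.., 40000..) interleave. 203.0.113.20: one single-host subscriber
# (IDs 500..504), then the same address reassigned to another single-host
# subscriber (IDs 9000..9004) half a minute later.
SAMPLE = [
    Packet("203.0.113.10", 1000, 0), Packet("203.0.113.10", 40000, 1),
    Packet("203.0.113.10", 1001, 2), Packet("203.0.113.10", 40003, 3),
    Packet("203.0.113.10", 1003, 4), Packet("203.0.113.10", 40006, 5),
] + [Packet("203.0.113.20", 500 + i, i) for i in range(5)] \
  + [Packet("203.0.113.20", 9000 + i, 30 + i) for i in range(5)]

if __name__ == "__main__":
    print("naive     :", count_hosts(SAMPLE))            # both addresses look like 2 hosts
    print("concurrent:", count_concurrent_hosts(SAMPLE))  # reassigned address drops to 1
```

The naive count reports two hosts on both addresses, reproducing the false detection the text attributes to dynamic addressing; the concurrency check separates the two cases for this sample, but it still depends on the idle and gap thresholds and on the operating system actually using a global sequential counter, so it should be read as a heuristic rather than a proof of sharing.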
There is a need in the industry for an apparatus and method that can detect host computers behind a NAT, even when the network addresses are assigned dynamically. Furthermore, there is a need in the industry to detect network activity in real-time through working with live traffic.
The present disclosure contemplates a new and improved system and method which resolves the above-referenced difficulties and others.